# `react-doctor/auth-token-in-web-storage`

Auth token in web storage

- **Category:** Security
- **Severity:** warn
- **Source:** oxlint-plugin-react-doctor
- **Framework:** global
- **Enabled when:** always

## Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Confirm the reported code matches Auth token in web storage. Check the framework context and diagnostic message before suppressing it.

## Fix prompt

Use this once validation confirms the diagnostic is real.

Don't persist auth tokens (JWTs, access/refresh tokens, secrets) in `localStorage`/`sessionStorage`; they're readable by any XSS. Use an `HttpOnly` cookie set by the server.
